key distribution/verification/update mechanisms other than keyservers

Werner Koch wk at
Wed Jan 17 09:58:21 CET 2018

On Tue, 16 Jan 2018 22:56, kristian.fiskerstrand at

>>  (c) rejected all third-party certifications -- so data attached to a
>>      given primary key is only accepted when certified by that primary
>>      key.
> thanks for this post Daniel, my primary question would be what advantage
> is gained by this verification being done by an arbitrary third party

This can help to avoid DoS attacks.  I would love to see that to get my
key down to a reasonable size. 

OpenPGP specifies Key Server Preferences ( with just one flag:

   First octet: 0x80 = No-modify the key holder requests that this key
   only be modified or updated by the key holder or an administrator of
   the key server.

By default GnuPG sets this flag but unfortunately it has no effect
because it is not defined on how the keyserver can check this condition.

A way to implement this without requiring an external protocol would be
an extension to OpenPGP to either allow an Embedded Signature (
in a key signature.  With ECC this would not increase the size of a key
signature too much.  It puts a burden on the keyservers to check this
signature during an upload, though.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <>

More information about the Gnupg-users mailing list